A service provider is an entity (e.g., a business or an organization) that sells bandwidth of or access to a network (e.g., the Internet, a data network, a telecommunication network, etc.) associated with the service provider. Service providers may include telecommunications companies, data carriers, wireless communications providers, Internet service providers, cable television operators offering high-speed Internet access, etc. Service provider networks enable third party application developers to create applications that use network resources, such as location systems that determine locations of mobile communication devices. These applications make requests to a network device, such as a gateway. The network device processes the requests and sends the requests to service provider systems that provide services, such as determining the locations of mobile communication devices, messaging, and/or other services. Such service provider systems may be referred to as enablers.
The service provider network defines application programming interfaces (APIs) for third party application developers to access the capabilities of enablers in the service provider network. A third party application often needs to authenticate a person (i.e., an end user) using the third party application, and often provides some form of authentication of the end user. However, in many cases, it is preferable to have the service provider network perform this function on behalf of the third party application. For example, if a developer would like the service provider to bill for an end user's use of the developer's application, the service provider network needs to authenticate the end user of the application. The third party application not only needs to identify the end user, but also needs to receive a level of assurance for that identification.
The generic bootstrapping architecture (GBA) is a technology that enables authentication of a user, of a mobile communication device, for using third party applications and/or network resources. In the GBA, user authentication is instantiated via a security key (e.g., a GBA key) that may be provided in a Universal Integrated Circuit Card (UICC) of the mobile communication device and in another network device, such as a network application function (NAF). The GBA may authenticate the user, for using an application, by requesting the security key from the UICC and from the NAF, and by verifying that the security keys match each other.
Security keys may be generated for each third party application, and may be based on a variety of parameters. For example, the 3rd Generation Partnership Project (3GPP) Technical Specification (TS) 33.110 specifies that the GBA Ks_local key generation may depend on the following parameters: an Integrated Circuit Card Identification (ICCID); a Bootstrapping Transaction Identifier (B-TID); a random (RAND) challenge generated by a Home Location Register (HLR); a user equipment (UE) identifier (e.g., a mobile equipment identifier (MEID), an International Mobile Equipment Identity (IMEI), etc.); a UE application identifier; a UE UICC identifier; a counter limit; etc. The GBA key may be customized to a specific application, for a specific UE, for a specific UICC, for a specific Long Term Evolution (LTE) session, using a specific network challenge value, etc. However, security key customization and proliferation makes security key management complex, difficult, and expensive for service providers since an overwhelming number security keys are generated for applications.